Fingerprint authenticator

The Fingerprint authenticator allows users to perform biometric authentication by the use of TouchID. The TouchID functionality is entirely handled by Apple's internal APIs and dedicated hardware - the TouchID scanner and Secure Enclave are encapsulated within the A7 chip which assures that the mathematical representation of a scanned fingerprint is not intercepted, eavesdropped or tampered with. The biggest gain of enabling Fingerprint Authentication is the improved end-user experience. Users are now enabled to access their sensitive data or authenticate transactions using TouchID fingerprint validation. The advantages are that they don't need to remember anything and it's faster.

Availability

A User can enable fingerprint authentication only if all the following requirements are met:

  • The device has hardware support for TouchID
  • The device is not Jailbroken
  • The user has already registered at least one fingerprint
  • The application configuration on the Token Server allows the use of fingerprint authentication

Limitation

When authentication with fingerprint fails, due to exceeded attempts, the fingerprint refresh token is not removed from the keychain. This is caused by the bug in the Security.framework which returns the same error in case the fingerprint authentication was cancelled by locking the device and when user exceeded the fingerprint attempts. If fingerprint had been deregistered when user exceeded fingerprint attampts it would have also been deregistered when user locks the device during fingerprint authentication. Fingerprint refresh token stays in the keychain until the user deregisters it manually and can be accessed only if the correct fingerprintis is provided. The number of attempts can be reset by providing the correct device passcode.

Fingerprint authenticator registration

Registering the fingerprint authenticator requires the user to perform PIN authentication. In order to successfully perform authentication implementing the userClient:didReceivePinChallenge:forUser: method of the ONGAuthenticatorRegistrationDelegate protocol is required on the delegate.

Implementing authenticator registration is described in the Authenticator topic guide.

Authenticate using fingerprint

Whenever fingerprint authenticator is available and set as preferred the user will be prompted to authenticate with fingerprint authenticator instead of PIN. SDK will call userClient:didReceiveFingerprintChallenge: method on your ONGAuthenticationDelegate. You will be able to choose how to respond to the challenge.

- (void)userClient:(ONGUserClient *)userClient didReceiveFingerprintChallenge:(ONGFingerprintChallenge *)challenge
{
    // Continue authentication using fingerprint with default prompt
    [challenge.sender respondWithDefaultPromptForChallenge:challenge];

    // Or use custom prompt
    [challenge.sender respondWithPrompt:@"Confirm money transfer" challenge:challenge];

    // Fallback to pin if needed
    [challenge.sender respondWithPinFallbackForChallenge:challenge];    

    // Or cancel challenge
    [challenge.sender cancelChallenge:challenge];
}

Because fingerprint scanning is not perfect (e.g. the user may have wet or dirty hands also the temperature may affect the scan result) the user can always choose to fallback to PIN authentication by pressing the "Cancel" button:

In case the user fails to scan a valid fingerprint within the allowed number of times, the SDK will automatically perform a fallback to PIN authentication. When this happens the SDK triggers a call to ONGAuthenticationDelegate#didReceivePinChallenge:challenge.

Fingerprint authenticator deregistration

Implementing authenticator deregistration is described in the Authenticator topic guide.

Jailbreak detection

The Jailbreak detection check is applied even if Jailbreak detection is disabled for the application. The reason is that Jailbroken devices are more vulnerable, as the application sandbox as well as KeyChain can be violated. The situation is even more serious for clients who are not using tampering protection and/or are running on older versions of iOS.